Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11706
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-10-16 14:00:45 | bleepingcomputer | NATION STATE ACTIVITY | North Korean Hackers Exploit Blockchain for Stealthy Malware Delivery | North Korean group UNC5342 uses the EtherHiding technique, storing malware payloads in smart contracts on public blockchains, in social-engineering campaigns aimed at stealing cryptocurrency.
Google Threat Intelligence Group reports this is the first known use of the technique by a state-backed actor, with BNB Smart Chain and Ethereum used for payload distribution.
EtherHiding gives the attackers anonymity, resistance to takedown (the payload lives on a public chain rather than on a host or domain that can be suspended), and cheap, flexible payload updates, which complicates detection and response.
Campaigns begin with fake job interviews that trick software developers into downloading malicious files posing as coding tests, hosted on platforms such as GitHub or npm.
The Jadesnow loader fetches the encoded payload from the blockchain and deploys the InvisibleFerret malware, which steals credentials and exfiltrates data over its command-and-control channels.
Targets of the credential theft include passwords, credit card data and cryptocurrency wallets, with malware updates pushed frequently and at minimal cost.
Organizations are advised to enforce strict download restrictions, control browser updates, and implement robust web access and script execution policies to mitigate risks. | Details |
| 2025-10-16 14:00:45 | bleepingcomputer | VULNERABILITIES | Unified Exposure Management Platforms Enhance Preemptive Cyber Defense Strategies | Traditional Managed Detection and Response (MDR) services are becoming insufficient as businesses face continuous new exposures across hybrid infrastructures and distributed ecosystems.
Unified Exposure Management Platforms (UEMPs) offer a proactive approach by continuously identifying, validating, and remediating vulnerabilities before adversaries can exploit them.
The shift towards preemptive security is driven by increased regulatory scrutiny and the need for measurable risk reduction tied to business outcomes.
UEMPs integrate asset discovery, vulnerability assessment, validation, and remediation, connecting technical evidence directly with business impact.
These platforms use Breach and Attack Simulation (BAS) and Automated Penetration Testing to validate exploitability, providing actionable insights for security teams.
By operationalizing the Continuous Threat Exposure Management model, UEMPs reduce potential dwell time from identification to mitigation, enhancing organizational resilience.
Picus Security, recognized by Gartner, exemplifies this emerging category, offering platforms that unify discovery, validation, and remediation for comprehensive security posture management. | Details |
| 2025-10-16 13:37:30 | theregister | VULNERABILITIES | Microsoft Patches Critical ASP.NET Core Vulnerability in Kestrel Server | Microsoft has patched a critical ASP.NET Core vulnerability in the Kestrel web server, rated 9.9 on the CVSS scale, the highest severity Microsoft has assigned to an ASP.NET Core flaw.
The flaw, CVE-2025-55315, is an HTTP request smuggling bug; depending on the application, a smuggled request can let an attacker act as another user or bypass security checks.
The vulnerability affects all supported versions of ASP.NET Core, including pre-release versions; the actual impact depends on each application's configuration and code.
Developers are advised to update the .NET SDK and runtime (or, for applications still on ASP.NET Core 2.x, the Microsoft.AspNetCore.Server.Kestrel.Core package) and then evaluate what a smuggled request could achieve against their specific application.
The bug is longstanding. Framework-dependent deployments pick up the fix once the shared runtime on the server is updated, so in that model the update is applied at the server level; self-contained and single-file deployments bundle their own copy of the runtime and must be rebuilt with the patched SDK.
While no known exploits have been reported, Microsoft emphasizes the importance of patching promptly to prevent potential security breaches.
Organizations should assess their application setups to determine exposure risk, especially those using Kestrel directly or behind a proxy. | Details |
| 2025-10-16 13:02:13 | bleepingcomputer | MISCELLANEOUS | Microsoft Introduces Voice-Activated Copilot for Enhanced User Interaction | Microsoft has launched a voice-activated feature for its AI-powered Copilot on Windows 11, allowing users to initiate conversations using the "Hey Copilot" wake word.
This feature, tested by Windows Insiders since May, requires manual activation and is designed to improve user engagement with the Copilot app.
Once activated, users will see a microphone icon and hear a chime, indicating that Copilot is ready to assist with tasks such as troubleshooting and app guidance.
The wake word recognition operates offline using a local 10-second audio buffer, ensuring user privacy, although internet access is necessary for processing requests.
Microsoft reports increased user interaction with Copilot when using voice commands, suggesting a trend towards more natural and intuitive user interfaces.
Additional Copilot capabilities include generating Office documents and connecting with third-party accounts like Gmail and Google Drive, enhancing productivity and integration.
Microsoft continues to expand Copilot's functionalities, including the recent introduction of Gaming Copilot and content-aware Copilot Chat for Microsoft 365 business customers. | Details |
| 2025-10-16 13:02:13 | bleepingcomputer | MISCELLANEOUS | Microsoft Introduces Copilot Actions for Enhanced AI-Driven Windows Tasks | Microsoft announced the Copilot Actions feature for Windows 11, enabling AI agents to perform tasks on local files and applications, enhancing productivity and efficiency.
This new feature will initially be available to Windows Insiders through Copilot Labs, expanding on the web-based Copilot Actions introduced earlier this year.
Copilot Actions transforms AI agents from passive assistants to active collaborators, capable of updating documents, organizing files, and more.
Each AI agent operates within its own Agent Workspace, ensuring isolation and preventing interaction with the user's desktop environment.
Security measures include distinct agent accounts, limited privileges, and cryptographic signing to ensure operational trust and compliance with Microsoft's privacy standards.
Agents will initially access standard Windows data folders, with plans for more granular security controls to be introduced in the future.
Feedback from the preview program will guide further development, with full release anticipated later this year as part of Microsoft's Secure Future Initiative. | Details |
| 2025-10-16 12:55:23 | theregister | VULNERABILITIES | Senator Demands Cisco's Accountability Over Critical Firewall Vulnerabilities | U.S. Senator Bill Cassidy has requested Cisco clarify its response to critical firewall flaws, CVE-2025-20333 and CVE-2025-20362, which impacted at least one federal agency.
The flaws prompted an emergency directive from CISA, requiring federal agencies to patch affected Cisco devices within 24 hours to mitigate significant risks.
Cisco's Adaptive Security Appliance and Firepower Threat Defense devices were exploited by the ArcaneDoor campaign, linked to the Chinese-associated group UAT4356.
Exploitation of these vulnerabilities began as early as May, with attackers deploying implants and exfiltrating data from compromised systems.
Cassidy's letter emphasizes the need for Cisco to align its guidance with CISA's and ensure comprehensive communication with all affected customers.
The senator's demands highlight the broader issue of vendor accountability, particularly for those providing critical infrastructure to both government and private sectors.
Cisco has been given a deadline of October 27 to respond to the senator's inquiries, a timeline that tests its transparency and readiness to address security concerns. | Details |
| 2025-10-16 12:06:02 | theregister | DATA BREACH | Sotheby's Confirms Data Breach Affecting Financial and Personal Information | Sotheby's experienced a data breach on July 24, compromising Social Security numbers and financial account information of an unspecified number of individuals.
The breach was reported to Maine's Attorney General, with two residents confirmed affected; the total impact remains undisclosed.
Despite regular system patching and robust security measures, the attackers successfully infiltrated Sotheby's systems, raising concerns about current cybersecurity protocols.
Sotheby's is offering 12 months of credit and identity monitoring services through TransUnion to those affected, aligning with standard U.S. data breach responses.
The breach follows a similar incident at Christie's in 2024, where data was auctioned rather than leaked, highlighting a potential trend in cybercriminal tactics.
Security experts suggest auctioning data is a rare tactic, often used when a direct ransom payment is unlikely, posing a reputational risk to prominent brands.
Sotheby's commitment to reviewing and enhancing security measures underscores the ongoing challenges faced by high-profile companies in safeguarding sensitive data. | Details |
| 2025-10-16 11:56:09 | thehackernews | MISCELLANEOUS | AI-Driven SOCs Transforming Security Operations Amid Rising Alert Volumes | Security Operations Centers (SOCs) face overwhelming alert volumes, with large enterprises managing over 3,000 alerts daily, leading to significant operational challenges.
Traditional SOC models struggle to keep pace, with 40% of alerts going uninvestigated and 61% of security teams missing critical alerts.
AI-driven SOCs are gaining traction, with 88% of organizations planning to evaluate or deploy AI-SOC platforms within the next year.
AI-SOC platforms promise efficiency by automating alert triage, reducing false positives, and integrating seamlessly with existing security tools.
The shift to AI-SOCs requires a mindset change, focusing on guiding AI systems rather than manual alert management.
Key considerations for AI-SOC adoption include understanding platform architectures, evaluating risks, and ensuring transparency and human oversight.
SACR's AI-SOC Market Landscape 2025 provides a framework for evaluating AI-SOC platforms, emphasizing the importance of explainability and integration with existing workflows.
Radiant Security offers a unified AI-SOC platform, recognized for its unique value proposition, enabling comprehensive alert triage and cost-effective security operations. | Details |
| 2025-10-16 11:45:03 | thehackernews | VULNERABILITIES | Operation Zero Disco Exploits Cisco SNMP Flaw for Rootkit Deployment | Trend Micro identified a campaign, Operation Zero Disco, that exploits a Cisco IOS SNMP vulnerability (CVE-2025-20352) to deploy rootkits on older switches lacking endpoint detection.
The vulnerability, CVSS 7.7, allows code execution via crafted SNMP packets, but it is not unauthenticated: the attacker needs valid SNMP credentials (an SNMPv1/v2c community string or an SNMPv3 user) and, for code execution as root, privilege-15 administrative credentials; targeted hardware included Catalyst 9400 and 9300 switches and legacy 3750G series devices.
Cisco has patched the flaw, but the attackers used it as a zero-day before the fix, gaining persistent access by installing hooks into the memory of the IOSd process.
They used spoofed source addresses to evade detection and focused on systems without modern mitigations such as Address Space Layout Randomization (ASLR).
The rootkits set a universal password containing "disco," a play on "Cisco," and installed fileless components that disappear after a reboot, complicating detection and removal.
Researchers also observed attempts to use a modified exploit for an older Telnet vulnerability to gain arbitrary memory access, though its exact purpose remains unclear.
Organizations using affected Cisco devices should prioritize patching, restrict SNMP access to trusted management hosts with ACLs, and prefer SNMPv3 with authentication and privacy, since every credential that can reach SNMP is a potential entry point for this exploit. | Details |
| 2025-10-16 11:23:18 | theregister | MISCELLANEOUS | AI Adoption in Tech Sector Impacts Graduate Job Opportunities | The UK tech sector has seen a 46% drop in graduate hiring, with an additional 53% decline expected, due to AI taking over entry-level tasks.
Routine tasks such as coding and data analysis are increasingly automated, leading companies to prefer hiring experienced workers over training new graduates.
Despite the decline in entry-level roles, IT, digital, and AI positions remain highly sought after, with 46% of organizations seeking these skills.
AI is not yet widely used in recruitment processes, though 79% of employers are revising their methods to address potential candidate cheating with AI.
Major tech firms like Salesforce and Microsoft have announced significant job cuts, replacing human roles with AI technologies.
The trend could lead to a shortage of mid-level professionals in the future, as graduates struggle to gain initial work experience.
Companies risk undermining their long-term talent pipeline by prioritizing short-term efficiency gains through AI deployment. | Details |
| 2025-10-16 10:53:27 | thehackernews | MISCELLANEOUS | Understanding Hidden Costs and Strategies for Effective Pen Testing | Penetration testing is essential for assessing IT security, but traditional methods can be costly and inefficient if not tailored to specific organizational needs.
Administrative tasks, such as coordinating schedules and preparing system inventories, can disrupt regular operations and require significant employee time.
Determining the scope of a pen test is complex and can lead to scope creep, increasing both time and financial costs.
Indirect costs, including operational disruptions and remediation efforts, can further strain resources, emphasizing the need for careful planning.
Budget management is challenging due to varied pricing models; organizations must choose between fixed-cost and time-and-materials approaches.
Pen Testing as a Service (PTaaS) offers a customizable, cost-effective alternative, providing continuous coverage and flexible consumption models.
By adopting a strategic approach, organizations can optimize pen testing investments, addressing vulnerabilities without excessive disruption or expense. | Details |
| 2025-10-16 09:22:07 | thehackernews | CYBERCRIME | U.S. Seizes $15 Billion in Cryptocurrency from Romance Scam Syndicate | The U.S. Department of Justice seized $15 billion in cryptocurrency linked to forced-labor scam operations in Cambodia, Myanmar, and Laos, targeting victims through romance scams.
The Prince Group, led by CEO Chen Zhi, orchestrated these scams, exploiting trafficked workers to defraud individuals worldwide under the guise of investment opportunities.
The seized assets were stored in unhosted cryptocurrency wallets, with proceeds used for luxury purchases, including yachts and a Picasso painting.
The U.S. and U.K. have designated the Prince Group as a transnational criminal organization, imposing sanctions on associated entities.
Blockchain analytics revealed the funds were originally stolen from LuBian, a bitcoin mining operation in China and Iran.
The scam, known as "pig butchering," has evolved into a large-scale fraud economy, overwhelming authorities with its rapid deployment of fraudulent websites.
The case underscores the growing sophistication of cybercrime syndicates and the challenges faced by governments in combating such global fraud networks. | Details |
| 2025-10-16 08:07:26 | theregister | CYBERCRIME | Ransomware Collapse of Historic UK Firm Cited as Warning About AI Password Attacks | KNP Logistics Group, a 158-year-old British transport company, was forced to shut down after a devastating ransomware attack, resulting in over 700 job losses.
The Akira ransomware group executed a double-extortion tactic, encrypting systems and threatening to release sensitive data to maximize ransom payment likelihood.
Although there's no direct evidence of AI tools like PassGAN being used, the incident highlights the potential of AI-powered password attacks in modern cybercrime.
AI-driven password attacks utilize machine learning algorithms to predict passwords by analyzing human behavior, marking a shift from traditional brute-force methods.
The attack on KNP Logistics underscores the need for robust password management and security awareness to protect against increasingly sophisticated cyber threats.
Businesses are urged to adopt measures such as business password managers, which replace human-chosen, guessable passwords with random ones and so blunt attacks that rely on predicting human choices.
The incident serves as a stark reminder of the evolving threat landscape, where traditional security practices are often inadequate against AI-enhanced adversaries. | Details |
| 2025-10-16 04:28:27 | thehackernews | VULNERABILITIES | CISA Warns of Critical Adobe AEM Flaw Under Active Exploitation | CISA has added a critical Adobe Experience Manager (AEM) vulnerability, CVE-2025-54253, to its Known Exploited Vulnerabilities catalog due to active exploitation.
The flaw, with a CVSS score of 10.0, allows arbitrary code execution: a debugging endpoint that should not be exposed evaluates attacker-supplied OGNL expressions, which can run arbitrary Java code.
Affected systems include Adobe AEM Forms on JEE versions 6.5.23.0 and earlier; a patch was released in August 2025 to address this issue.
The vulnerability is exploited via a crafted HTTP request, enabling attackers to execute system commands without authentication.
Federal agencies are required to apply the necessary patches by November 5, 2025, to mitigate potential risks.
The announcement follows the inclusion of another severe vulnerability in SKYSEA Client View, CVE-2016-7836, known for enabling remote code execution.
Organizations using affected Adobe AEM versions should prioritize patching to prevent unauthorized access and potential data breaches. | Details |
| 2025-10-15 20:53:39 | bleepingcomputer | DATA BREACH | Capita Fined £14 Million for Data Breach Affecting 6.6 Million | Capita, a UK-based outsourcing firm, faced a £14 million fine from the ICO after a 2023 data breach exposed personal information of 6.6 million individuals.
The breach impacted hundreds of Capita's clients, including 325 pension schemes, highlighting the extensive reach of the incident across multiple sectors.
Attackers gained access to Capita's internal network through a malicious file, and the intrusion went uncontained for 58 hours after a high-priority alert fired, giving them time to deploy ransomware and exfiltrate nearly one terabyte of data.
The Black Basta ransomware group claimed responsibility, threatening to leak stolen data unless a ransom was paid, illustrating the ongoing threat of ransomware actors.
The ICO reduced the initial £45 million fine following Capita's acceptance of liability, security improvements, and provision of data protection services to affected individuals.
Capita's response was criticized for delayed isolation of the breach, insufficient access controls, and inadequate staffing in their Security Operations Center.
The company has since invested in strengthening its cybersecurity measures, and the financial penalty is not expected to affect its investor guidance. | Details |
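
For the EtherHiding item at the top of the brief, an added example of the retrieval step that summary describes; it is not code from the GTIG report or from any loader sample. It constructs the JSON-RPC `eth_call` a loader sends to a public node, ABI-decodes the string the contract returns, and base64-decodes it into the stage-two script. The contract address, function selector, response and script are all made up for the example, and `is_bare_getter_call` is a constructed triage heuristic, not a published signature. The point it makes concrete is the takedown resistance in the summary: the fetch is a free read-only query that writes nothing to the chain, so there is no host or domain to suspend.

```python
"""Recover a payload hidden in a smart contract the way an EtherHiding
loader does: a read-only eth_call, then ABI-decoding the returned string.

Added illustrative code; not from the GTIG report, Jadesnow or any other
loader sample. The contract address, function selector and RPC response are
constructed for this example and do not correspond to real on-chain data.
"""
import base64
import json


def abi_encode_string(payload: bytes) -> str:
    """ABI-encode one dynamic `string`/`bytes` return value:
    32-byte head offset, 32-byte length, data padded to a 32-byte boundary."""
    head = (32).to_bytes(32, "big")
    length = len(payload).to_bytes(32, "big")
    padding = b"\x00" * ((-len(payload)) % 32)
    return "0x" + (head + length + payload + padding).hex()


def abi_decode_string(hexdata: str) -> bytes:
    """Inverse of abi_encode_string with bounds checks, since the node
    (or anyone between loader and node) controls every field."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(raw) < 64:
        raise ValueError("too short for an ABI dynamic type")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("head offset points outside the buffer")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds the buffer")
    return raw[start:start + length]


# Constructed stage-two script, stored base64-encoded in the contract's getter.
STAGE2_JS = b"(function(){ /* next-stage loader would go here */ })();"
CONSTRUCTED_RESULT = abi_encode_string(base64.b64encode(STAGE2_JS))

# Constructed JSON-RPC exchange with a public BSC/Ethereum node. eth_call is a
# free, read-only query: no transaction, no gas, nothing written to the chain,
# which is why the fetch leaves no on-chain trace and survives takedowns of
# any single front-end domain. Address and selector are hypothetical.
RPC_REQUEST = {
    "jsonrpc": "2.0", "id": 1, "method": "eth_call",
    "params": [{"to": "0x" + "11" * 20, "data": "0xdeadbeef"}, "latest"],
}
RPC_RESPONSE = {"jsonrpc": "2.0", "id": 1, "result": CONSTRUCTED_RESULT}


def recover_payload(response: dict) -> bytes:
    """What the loader does with the answer: ABI-decode, then base64-decode."""
    return base64.b64decode(abi_decode_string(response["result"]), validate=True)


def is_bare_getter_call(request: dict) -> bool:
    """Triage heuristic for captured browser/script traffic: an eth_call whose
    calldata is only a 4-byte selector (no arguments) against a fixed address
    has the shape of a payload fetch. Constructed heuristic, not a published
    signature; legitimate dapps make such calls too, so it is a lead, not a verdict."""
    if request.get("method") != "eth_call" or not request.get("params"):
        return False
    call = request["params"][0]
    data = call.get("data", "")
    return data.startswith("0x") and len(data) == 10


if __name__ == "__main__":
    print(json.dumps(RPC_REQUEST))
    print(recover_payload(RPC_RESPONSE).decode())
```

Because the contract owner can change what the getter returns with one cheap transaction, the same loader keeps working while the payload behind it changes, which is the "flexible payload updates" property in the summary; blocking the public RPC endpoints the loader uses, or the script-execution policies the summary recommends, is what actually interrupts the chain.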
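
For the Kestrel item above (CVE-2025-55315), an added example of the server-level inventory that summary recommends; it is not Microsoft tooling. It parses `dotnet --list-runtimes` output (a constructed sample here; the real command is wrapped in `live_output()`) and flags ASP.NET Core shared runtimes below a fixed build. The build numbers in `FIXED_BUILDS` are placeholders to be replaced from Microsoft's advisory, and the check cannot see self-contained or single-file deployments, which bundle their own runtime and must be rebuilt instead.

```python
"""Inventory installed ASP.NET Core shared runtimes and flag builds below the
first patched release, the server-level check CVE-2025-55315 calls for.

Added illustrative check; not Microsoft tooling. The `dotnet --list-runtimes`
output below is constructed, and FIXED_BUILDS is a placeholder table: take the
patched build numbers from Microsoft's advisory rather than trusting these.
"""
import re
import subprocess
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Placeholder thresholds keyed by major.minor (assumed; verify against the
# advisory). A major.minor missing here is reported rather than ignored.
FIXED_BUILDS: Dict[str, Version] = {
    "8.0": (8, 0, 21),
    "9.0": (9, 0, 10),
}

# Real line format of `dotnet --list-runtimes`: "<Name> <Version> [<path>]"
RUNTIME_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ver>\d+\.\d+\.\d+(?:-[\w.]+)?)\s+\[(?P<path>.+)\]$")


def parse_version(s: str) -> Version:
    """'9.0.10-rc.2' -> (9, 0, 10); pre-release tags are ignored, so treat a
    pre-release that passes as needing a closer look, not as definitely fixed."""
    core, _, _prerelease = s.partition("-")
    return tuple(int(x) for x in core.split("."))


def parse_runtimes(output: str) -> List[dict]:
    rows = []
    for line in output.splitlines():
        m = RUNTIME_LINE.match(line.strip())
        if m:
            rows.append({"name": m["name"], "version": m["ver"], "path": m["path"]})
    return rows


def vulnerable_runtimes(output: str, fixed: Dict[str, Version] = FIXED_BUILDS) -> List[str]:
    """One line per ASP.NET Core shared runtime that is below the fixed build,
    or whose major.minor has no entry in `fixed` (likely out of support)."""
    findings = []
    for r in parse_runtimes(output):
        if r["name"] != "Microsoft.AspNetCore.App":
            continue
        v = parse_version(r["version"])
        key = f"{v[0]}.{v[1]}"
        if key not in fixed:
            findings.append(f"{r['name']} {r['version']}: no fixed build listed (out of support?)")
        elif v < fixed[key]:
            wanted = ".".join(map(str, fixed[key]))
            findings.append(f"{r['name']} {r['version']}: below fixed build {wanted}")
    return findings


# Constructed sample output; a real run would feed live_output() instead.
SAMPLE_OUTPUT = """\
Microsoft.AspNetCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.19 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.21 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 9.0.9 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 9.0.9 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
"""


def live_output() -> str:
    """Run the real command; only works where the dotnet CLI is installed."""
    return subprocess.run(["dotnet", "--list-runtimes"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for finding in vulnerable_runtimes(SAMPLE_OUTPUT):
        print(finding)
```

A framework-dependent app rolls forward only to the latest patch of the major.minor it targets, so a host that lists both 8.0.19 and 8.0.21 still serves 8.0 apps from the patched build; the older copy is worth removing anyway so nothing can pin to it.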
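
For the Operation Zero Disco item above (CVE-2025-20352), an added example of the SNMP exposure check a network team would run ahead of the patch window; it is not Trend Micro's or Cisco's code. It parses a constructed Cisco IOS running-config and flags the settings that widen the SNMP attack surface the exploit needs credentials for: default or read-write community strings, communities with no ACL or an ACL that is never defined, and SNMPv3 groups below `priv`. Patching is still the fix; this only narrows who can reach SNMP at all.

```python
"""Audit a Cisco IOS/IOS-XE running-config for SNMP exposure.

Added illustrative check; not from Trend Micro's report or Cisco's advisory.
The configuration text below is constructed for the example. A patched image
is still the fix for CVE-2025-20352; this only surfaces SNMP settings that let
more sources, or weaker credentials, reach the vulnerable code.
"""
import re
from typing import List, Set

DEFAULT_COMMUNITIES = {"public", "private"}


def _mask(secret: str) -> str:
    """Avoid copying community strings into tickets and logs."""
    return secret[0] + "*" * (len(secret) - 1) if secret else secret


def _defined_acls(config: str) -> Set[str]:
    """Names/numbers of ACLs the config defines (numbered, or named via
    'ip access-list standard|extended <name>')."""
    acls = set()
    for line in config.splitlines():
        m = re.match(r"^\s*(?:ip )?access-list\s+(?:standard\s+|extended\s+)?(\S+)", line)
        if m:
            acls.add(m.group(1))
    return acls


def audit_snmp(config: str) -> List[str]:
    findings: List[str] = []
    acls = _defined_acls(config)
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^snmp-server community\s+(\S+)(.*)$", line)
        if m:
            # Syntax handled: community <string> [view <name>] [RO|RW] [<acl>]
            # (the 'ipv6 <acl>' form is not parsed here).
            community, toks = m.group(1), m.group(2).split()
            mode, acl = "RO", None
            i = 0
            while i < len(toks):
                tok = toks[i]
                if tok.lower() == "view":
                    i += 2          # skip 'view <name>'
                    continue
                if tok.upper() in ("RO", "RW"):
                    mode = tok.upper()
                else:
                    acl = tok       # trailing token is the ACL name/number
                i += 1
            label = _mask(community)
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"community {label}: default value")
            if mode == "RW":
                findings.append(f"community {label}: read-write access")
            if acl is None:
                findings.append(f"community {label}: no ACL, reachable from any source")
            elif acl not in acls:
                findings.append(f"community {label}: ACL {acl} not defined in config")
            continue
        m = re.match(r"^snmp-server group\s+(\S+)\s+v3\s+(noauth|auth|priv)\b", line)
        if m and m.group(2) != "priv":
            findings.append(f"v3 group {m.group(1)}: {m.group(2)} (no encryption)")
    return findings


# Constructed running-config excerpt with one clean and several weak entries.
CONSTRUCTED_CONFIG = """\
!
hostname edge-sw1
!
snmp-server community public RO
snmp-server community s3cr3t RW 99
snmp-server community mon view cutdown RO MGMT-ONLY
snmp-server group NOC v3 priv
snmp-server group LEGACY v3 noauth
!
access-list 99 permit 10.0.0.5
!
"""

if __name__ == "__main__":
    for finding in audit_snmp(CONSTRUCTED_CONFIG):
        print(finding)
```

The read-only community with no ACL is the one to fix first: it is the credential the low-privilege path of the flaw needs, and it is reachable from anywhere that can send UDP/161 to the switch. Feed the script `show running-config` output collected by whatever you already use for config backups rather than logging in by hand per device.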